emerging technology for connectivity
TRANSCRIPT
![Page 1: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/1.jpg)
Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS
ITU Digital Financial Services Security Lab
8 July 202110:00 – 11:00 AM, CEST
Arnold Kibuuka, ITU
![Page 2: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/2.jpg)
DFS Security Lab
There is not a common approach for regulators, developers and DFS providers to test DFS mobile apps in a complex mobile ecosystem in order to
provide/verify the level of assurance on security.
The DFS security lab provides a common methodology to conduct
security audit for DFS applications and address systemic
vulnerabilities.
![Page 3: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/3.jpg)
DFS Security Lab
Collaborate with DFS regulators and DFS providers to enhance the cybersecurity strategy for DFS and security assurance of the DFS ecosystem by implementing the recommendations in the DFS Security Assurance Framework, methodology for testing of USSD, STK and Android apps and DFS Security Audit Guidelines.
https://figi.itu.int/figi-resources/working-groups/
![Page 4: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/4.jpg)
DFS Security Lab Objectives
Collaboration with DFS regulators on security
Knowledge sharing on threats to security of DFS
apps
Organise security clinicsAssist DFS regulators to evaluate the cyber preparedness for DFS
ecosystem
Encourage adoption of international standards on
DFS security
Perform DFS security audits of DFS Apps
![Page 5: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/5.jpg)
DFS Security Lab Components
Security audit of Android DFS apps
using OWASP Mobile Top 10 Risks.
Developer resources for strong authentication
using FIDO
Security testing for USSD and STK
![Page 6: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/6.jpg)
USSD & STK Security Tests
d. Simulate man-in-the-middle attacks on STK based DFS applications
b. Testing susceptibility to binary OTA attacks (SIM jacker, WIB attacks)
c. Testing remote USSD execution attacks
a. SIM Swap and SIM clone testing
*100#
*100# *100
#
*stkmsg#
*mstkmsg#
![Page 7: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/7.jpg)
Android DFS security tests (based OWASP Mobile Top 10 Risks)
Risks Security test
M1 Improper Platform UsageCheck misuse of platform features or failing to use platform security controls provided
M2 Insecure Data StorageCheck that malware and other apps do not have access to DFS sensitive information
M3 Insecure CommunicationCheck that communication channels are encrypted
M4 Insecure AuthenticationAuthentication cannot easily be bypassed
M5 Insufficient Cryptography Check crypto algorithms used
M8 Code TamperingCheck whether it is possible to modify the code
M9 Reverse engineering Decompile source code7
![Page 9: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/9.jpg)
Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS
5 -19 July
![Page 10: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/10.jpg)
Mobile payment appsTesting for vulnerabilities using the OWASP Mobile Top Ten
Philippe Oechslin, Objectif Sécurité
![Page 11: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/11.jpg)
Executive summary
• Developed method for testing DFS apps on Android• 18 tests organized according to OWASP mobile top ten
• Tested 3 applications• Payment applications
• They all have different ways of not implementing the best practices!• No critical issue detected
![Page 12: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/12.jpg)
1 Introduction
• DFS: Applications used for payment and money transfer without the need of having a bank account
• OWASP: The Open Web Application Security Project www.owasp.org• A collaborative, non-for-profit foundation that works to improve the
security of web applications• Also works on security of mobile applications
• OWASP Mobile Top Ten• OWASP project that aims to identify and document the top ten
vulnerabilities of mobile applications
![Page 13: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/13.jpg)
2 The tests
• Our tests are organized according to the subjects of the OWASP Mobile Top Ten:
• M1 Improper Platform Usage• M2 Insecure Data Storage• M3 Insecure Communication• M4 Insecure Authentication• M5 Insufficient Cryptography• M6 Insecure Authorization• M7 Client Code Quality• M8 Code Tampering• M9 Reverse Engineering• M10 Extraneous Functionality
• M6, M7, M10 out of scope because they would need access to the source code or require collaboration with the editor
![Page 14: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/14.jpg)
M1 Improper Platform Usage
The application should make correct use of the features of the platform (phone’s operating system)
• Allow cloud backup,
• debugging,
• install location,
• dangerous permissions
![Page 15: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/15.jpg)
M2 Insecure Data Storage
Data should be stored in a way that limits the risks in case of loss or compromise of the phone
• Use of external storage
• Disabling screenshots
![Page 16: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/16.jpg)
M3 Insecure Communication
Protect against eavesdropping and manipulation of traffic
• Use of HTTPS
• Only accept trusted certificates
• Only accept a specified certificate
• App manifest should not allow clear text traffic
![Page 17: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/17.jpg)
M4 Insecure Authentication
Prevent unauthorized access to the application
• Request pin/fingerprint before accessing sensitive information
• Inactivity timeout
• Handling of new fingerprints
![Page 18: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/18.jpg)
M5: Insufficient Cryptography
Cryptography can only protect confidentiality and integrity of data if correctly implemented
• Do not use unsafe crypto primitives (e.g. MD5, SHA-1, RC4, DES, 3DES, Blowfish, ECB)
• Configure HTTPS according to best practices
![Page 19: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/19.jpg)
M8: Code Tampering
Prevent an attacker from tampering the code on the telephone
• Refuse to run on a rooted device
![Page 20: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/20.jpg)
M9 Reverse engineering
Prevent attackers from analyzing the logic of the application
• Obfuscate the code
28.09.2020 Ph. Oechslin 12
![Page 21: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/21.jpg)
3. Results
• Three applications have been tested with the same method
• Only failed tests are described below
28.09.2020 Ph. Oechslin 13
![Page 22: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/22.jpg)
3.1 App1
Payment app, backed by a bank account, credit card or prepaid
Has permission to write to external storage external storage and, if it did, that this data is sensible.
Uses the weak crypto (MD5 and SHA-1, ECB), probably not for critical data
Interception of data shows names, phone numbers and amounts in clear inside HTTPS connection
Runs on rooted devices
28.09.2020 Ph. Oechslin 14
![Page 23: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/23.jpg)
3.2 App2
App2 is provided by a mobile network operator that provides digital financial services in areas in which they operate across Africa
• Sends some traffic in clear text (not sensitive data)
• Does not require a PIN or fingerprint every time, PUK can be accessed
• Uses the weak crypto (SHA-1, random number generator), probably not for critical data
![Page 24: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/24.jpg)
3.3 App3
App3 is also provided a mobile operator and in several countries across Africa and Asia. The app makes it possible for users to send money to contacts, pay for goods and services
Screenshot is not disabled when running
Trusts the certificates trusted by the phone (enables interception)
Requires permission to send clear text traffic
Does not require a PIN or fingerprint every time, balance can be accessed
Uses the weak crypto (MD5, SHA-1, random number generator), probably not for critical data
![Page 25: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/25.jpg)
Summary of results
• No critical vulnerabilities were detected but• App1 has no application-level encryption
• App2 displays PUK without requiring PIN
0
25
50
75
100
M1:Improper
platform usage
M2:Insecure
Data Storage
M3:Insecure
Communication
M4:Insecure
Authentication
M5:Insufficient
Cryptography
M8:Code
Tampering
M9:Reverse
Engineering
App1
App2
App3
![Page 26: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/26.jpg)
4 Conclusions
• The tests allow an independent evaluation of the security of DFS apps
• Done locally, without access to code or server
• Detects missing best practices
• Detailed analysis of impact would require collaboration of the provider
• Provider could do more for security and transparency• Open source their applications
• Offer Bug bounty programmes
![Page 27: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/27.jpg)
Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS
Blockchain and Cybersecurity challenges and opportunities for emerging economies
Blockchain for financial inclusion
8 July 202110:00 – 11:00 am, CEST
By Suzana Maranhão Moreno, BNDES
![Page 28: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/28.jpg)
An option to
generate TRUST
DLT/Blockchain
![Page 29: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/29.jpg)
Relevant Factors for not having a Banking Account
MAJORNot enough money / too expensive
Family member already has account
Lack of necessary documentation
Too far away
Refs: http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdfhttps://www.worldbank.org/content/dam/Worldbank/Research/GlobalFindex/PDF/N2Unbanked.pdfhttps://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/yayafanusie/2021/01/01/stop-saying-you-want-to-bank-the-unbanked/amp/
![Page 30: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/30.jpg)
Can DLT help to make financial services cheaper?
Digitalization many times leads to more affordable services.DLT is a technology to that, enabling some new possibilities and permissionless innovation.
Remittance
Stablecoin
DeFi
CBDC
Payments
![Page 31: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/31.jpg)
Finanças Descentralizadas
LendingTrading
Payments
ExchangesInsurance
Can DLT help to make financial services cheaper?
Ref.: WEF, Decentralized Finance (DeFi) Policy-Maker Toolkit
![Page 32: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/32.jpg)
Can DLT increase aid to vulnerable people?
From Hyperledger Global Forum:
Transparency -> Accountability -> Empathy -> Action
Technology may help to increase the trust and transparency of social projects, leaded by private or public sector. follow the money
compliance by design
hyper-transparency
programmable money
![Page 33: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/33.jpg)
Can DLT help to create market opportunities to vulnerable people?
Technology may enable new business models, data ownership and new relationships based on trust.
Recycling activities more transparent and valuable
Farmers with data ownership in supply chain
![Page 34: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/34.jpg)
Relevant Factors for not having a Banking Account
MAJORNot enough money / too expensive
Family member already has account
Lack of necessary documentation
Too far away
Refs: http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdfhttps://www.worldbank.org/content/dam/Worldbank/Research/GlobalFindex/PDF/N2Unbanked.pdfhttps://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/yayafanusie/2021/01/01/stop-saying-you-want-to-bank-the-unbanked/amp/
![Page 35: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/35.jpg)
Can DLT help to deal with the lack of documentation?
DID, VC, SSIWeb of Certifiers – open ecosystem of certifiers and conditions
Id + verifiable credit history
Refs: https://www.w3.org/TR/did-core/https://www.w3.org/TR/vc-data-model/https://www.kiva.org/https://www.igi-global.com/chapter/a-survey-of-kycaml-for-cryptocurrencies-transactions/261722https://www.defi-for-good.com/
![Page 36: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/36.jpg)
ITU-T DLT Technical Interoperability Framework
Chain A
Node 1
Node 2 Node 3
Chain B
Node 1
Node 2 Node 3
Off-chain Data
Finacial Data Government Data Industrial Data Others
Application
Fiancial
Application
Government
Application
Industrial
ApplicationOthers
2 2
33
1
Refs: ITU DLT Meet-ups - https://www.itu.int/en/ITU-T/webinars/Pages/dlt.aspx (see first episode)SG16/Q22 H.DLT-TFI - Technical Framework for distributed ledger technology (DLT) Interoperability
![Page 37: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/37.jpg)
hso.com
GOVERNANCE
NETWORK
SERVICES
Foster innovation for public interest applications, withspecial emphasis on enabling trust for anti-fraud and pro-
transparency measures. (aligned with Brazilian Digital Government Strategy 2020-2022)
111#Nodes
58#Entities with Nodes
15#Countries
https://www.lacchain.net/
Lacchain and Brazilian Blockchain Network
Focus on Inclusion
![Page 38: Emerging technology for connectivity](https://reader031.vdocument.in/reader031/viewer/2022022811/621b7889981a7911b66e8f86/html5/thumbnails/38.jpg)
Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS
5 -19 July
By Suzana Maranhão Moreno, [email protected]